Slide1
For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management)
Michael Hodges, ITS Identity and Access Management
University of Hawaii © 2015
Slide2
What to talk about today?
What is Pragmatic Programming?
The UHIMS Ecosystem
UHIMS Ecosystem Solutions
Ecosystem Enhancements Under Way
UHIMS Dreams and Blue Sky Visions
Looking ahead, UH joins Internet2's TIER
Slide3
What is Pragmatic Programming?
A book: "The Pragmatic Programmer, From Journeyman to Master"
A mindset that will help you:
Keep it DRY
KISS better
Decouple by design
Minimize technical debt
Future-proof apps
Slide4
Keep it DRY
Don't Repeat Yourself, a design principle. Write code once, reference it as needed.
Don't reinvent the wheel, if possible. Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
DRY requires good planning.
Slide6
KISS better
Keep It Simple and Short, a design principle. Small, simple software subcomponents reduce complexity and are easier to manage.
Create only the subcomponents that you must create; keep your custom code footprint as small as possible, since custom code is also the code only you will have to secure, patch and maintain.
Embrace integration, leverage existing solutions.
Slide8
Decouple by design
Utilize message brokering: increase availability/uptime, increase flexibility.
Conceptualize apps as message producers and message consumers.
Slide9
Decouple by design (diagram)
Slide11
Minimize technical debt
Technical debt: the things you should have taken care of in your code, but didn't, e.g. deferred features, deferred documentation, deferred regression tests, performance, etc.
Software entropy (a related concept): unaddressed technical debt increases software entropy.
Software that is used will be modified. Modified software increases in complexity (unless successfully refactored).
Slide12
A mindset that will help you:
Keep it DRY
KISS better
Decouple by design
Minimize technical debt
Exceed expectations
Future-proof apps
Slide13
Future-proof (one must try)
Align with the expanding UHIMS:
Emerging group/authorization management practices.
Emerging 2nd-factor authentication options.
Future end-user profile management.
Future attribute release consent options.
Leverage the work of other project teams:
College of Ed's WordPress plugin, Authorizer.
Bursar's hosted eCommerce solution.
Internet2 community.
Anticipate TIER, an Internet2 IAM project:
TIER: Trust and Identity in Education and Research.
Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.
Slide14
Practical Pragmatic Examples
Report writing: output data to a CSV file for import to Excel.
CAS for authentication.
CAS attributes for authorization.
UH Groupings for authorization, anywhere the "is member of" question comes up.
UH Message Broker to separate apps that publish (liberate) information from apps that consume information.
Slide15
The UHIMS Ecosystem
A non-chronological review of the development of the UHIMS Ecosystem
Slide16
UHIMS Ecosystem (circa 2015) diagram, University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015. Slides 16 through 26 build this diagram up one layer at a time; in its final form it has these swimlanes:
Systems of Record: Banner, PS HR, RCUH, SECE, KFS, MyGrant. They feed Person Directory Updates and Admin Updates into the UHIMS Person Registry, which emits Person Events.
Directory Services: LDAP (389DS); AD (AuthN only).
AuthN/Z Services: CAS3 (AuthN), Shib IdP (AuthN), RADIUS (AuthN), Grouper (AuthZ) behind UH Groupings.
Applications: Web Apps (registered), Web Apps (federated), Google@UH, Campus Wireless, Campus AD domains, LISTSERV lists, UHIMC, ACER, VIA, BMT, WPMS, API, Campus OneCard.
Msg Broker [exchanges]: components marked PR are Message Producers, components marked CON are Message Consumers; the broker sits between them.
Slide17
Adds the UHIMS Person Registry to the diagram.
Slide18
The UHIMS Ecosystem
The roles UHIMS aggregates:
staff.civilService
staff.executive
staff.apt
staff.casual
staff.overload
staff.noDetails
staff.nonCompensated
faculty.communityCollege
faculty.university
faculty.medical
faculty.researcher
faculty.specialist
faculty.countyAgent
faculty.librarian
faculty.law
faculty.emeritus
faculty.overload
faculty.noDetails
faculty.courseInstructor
faculty.lecturer
faculty.teachingAssistant
faculty.researchAssistant
studentEmployee.workStudy
studentEmployee.studentHire
student.graduate.law
student.graduate.medical
student.graduate.noDetails
student.undergraduate.noDetails
student.other.apprenticeship
student.other.continuingEducation
student.other.postBaccalaureate
student.other.professional
student.other.vocational
student.other.undeclared
nonCreditStudent.noDetails
nonCreditStudent.etc
preStudent.noDetails
preStudent.accepted
preStudent.applicant
ohana
retiree
other
Slide19 through Slide26
Progressive builds of the same UHIMS Ecosystem (circa 2015) diagram. Added in order: slide 20, LDAP 389DS, RADIUS AuthN, CAS3 AuthN, Campus Wireless, registered Web Apps, UHIMC, BMT, WPMS, API and VIA; slide 21, Shib IdP AuthN, Google@UH and federated Web Apps; slide 22, the Msg Broker [exchanges] with Message Producer (PR) and Message Consumer (CON) markers; slide 23, LISTSERV lists, UH Groupings and Grouper AuthZ; slide 24, ACER; slide 25, Campus OneCard; slide 26, AD (AuthN only) and Campus AD domains.
Slide27
UHIMS Ecosystem Solutions
Authentication Solutions: CAS, Shibboleth, LDAP
Authorization Solutions: ACER, Grouper, UH Groupings and the UH Group Store, UHIMS Events
Decoupling Solutions: UH Message Broker
Slide28
UHIMS Ecosystem Solutions, Authentication Solutions
CAS – Central Authentication Service
Used by UH apps for authentication.
Default Attribute Release Policy: UH Data Governance policies apply (E2.215).
IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
Non-standard requests, such as for hosted apps, must first be approved by the DGC.
https://www.hawaii.edu/bwiki/display/UHIAM/CAS+Default+Attribute+Release+Policy
http://www.hawaii.edu/uhdatagov/
Slide29
CAS – Central Authentication Service
Attributes useful for authorization:
eduPersonAffiliation (faculty)
eduPersonOrgDN (kauaicc)
uhOrgAffiliation (eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty)
uhAcknowledgement (generalConfidentialityNotice=20141231T000000)
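As an added example (not code from the UH IAM team), here is the server-side half a web app needs in order to use the attributes above for authorization: it builds the CAS 3 serviceValidate URL, parses the XML the CAS server returns, and decides on uhOrgAffiliation and uhAcknowledgement. The CAS host, the service URL and both XML responses are constructed; the attribute names and value formats are the ones on the slide. The point a pentester will check: the app redeems the ticket from its own backend against the registered service URL, authorizes only on what CAS returned (never on anything the browser sent), and a failure element fails closed.

```python
"""Validate a CAS 3 service ticket server-side and authorize on released attributes.

Added example, not University of Hawaii code. It assumes a CAS 3 server exposing
the standard /serviceValidate endpoint; the two XML responses below are
constructed to mirror the attributes listed on slide 29.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS protocol XML namespace

# Constructed success response: one user with the slide-29 attributes.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:eduPersonAffiliation>faculty</cas:eduPersonAffiliation>
      <cas:eduPersonOrgDN>kauaicc</cas:eduPersonOrgDN>
      <cas:uhOrgAffiliation>eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty</cas:uhOrgAffiliation>
      <cas:uhAcknowledgement>generalConfidentialityNotice=20141231T000000</cas:uhAcknowledgement>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (a replayed, expired or forged ticket).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def validate_url(cas_base, service, ticket):
    """URL the app fetches from its own backend to redeem the ticket.
    `service` must be the registered URL exactly; CAS rejects any other."""
    return f"{cas_base}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def failure_code(xml_text):
    """Return the CAS failure code (e.g. INVALID_TICKET), or None on success."""
    failure = ET.fromstring(xml_text).find("cas:authenticationFailure", CAS_NS)
    return None if failure is None else failure.get("code")


def parse_service_response(xml_text):
    """Return (user, attributes) from a successful response; raise otherwise.
    Attributes are kept multi-valued because CAS may repeat an element."""
    code = failure_code(xml_text)
    if code is not None:
        raise PermissionError(f"CAS validation failed: {code}")
    success = ET.fromstring(xml_text).find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    for el in (list(attrs_el) if attrs_el is not None else []):
        name = el.tag.split("}", 1)[1]  # strip the namespace from the tag
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs


def org_affiliations(attrs):
    """uhOrgAffiliation values look like
    'eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty'; return (org, affiliation) pairs."""
    pairs = []
    for value in attrs.get("uhOrgAffiliation", []):
        kv = dict(part.split("=", 1) for part in value.split(",") if "=" in part)
        pairs.append((kv.get("eduPersonOrgDn"), kv.get("eduPersonAffiliation")))
    return pairs


def acknowledged(attrs, notice, required_after):
    """uhAcknowledgement values look like 'generalConfidentialityNotice=20141231T000000'.
    True only if `notice` was acknowledged at or after the YYYYMMDD date `required_after`
    (the date the current version of the notice took effect). A malformed stamp raises,
    so the check fails closed."""
    cutoff = datetime.strptime(required_after, "%Y%m%d")
    for value in attrs.get("uhAcknowledgement", []):
        name, _, stamp = value.partition("=")
        if name == notice:
            return datetime.strptime(stamp, "%Y%m%dT%H%M%S") >= cutoff
    return False


def authorize(attrs, org, affiliation, notice, required_after="20141231"):
    """Example policy: people with `affiliation` at `org` who have acknowledged the
    current version of `notice`. Decided on validated CAS attributes only."""
    return (org, affiliation) in org_affiliations(attrs) and acknowledged(attrs, notice, required_after)


if __name__ == "__main__":
    user, attrs = parse_service_response(SAMPLE_SUCCESS)
    print(user, authorize(attrs, "kauaicc", "faculty", "generalConfidentialityNotice"))
```

The real app fetches validate_url(...) over TLS from its backend and passes the body to parse_service_response(); the browser never sees the validation exchange, and the ticket is single-use, so a captured redirect cannot be replayed.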
Slide30
CAS – Central Authentication Service
Web App Registration Form; service URLs must be registered:
https://www.hawaii.edu/bwiki/display/UHIAM/Web+App+Registration+Form
Developer Documentation:
https://www.hawaii.edu/bwiki/display/UHIAM/CAS3+Developer+Documentation
Slide31
CAS – Central Authentication Service, Infrastructure (diagram)
A Load Balancer, running health checks, in front of CAS (active), CAS (hot standby) and CAS (manual standby).
Slide32
Shibboleth Identity Provider (UH IdP)
Used by non-UH apps for federated authentication.
Attribute Release Policy: tailored to the minimal requirements. Targeted IDs used where possible to protect privacy.
Federated apps must be registered; the exception is apps in the Research and Scholarship category.
Infrastructure: identical to CAS.
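The targeted IDs mentioned above, as an added example that is not UH's IdP configuration: computed_id() follows, to my knowledge, the construction of Shibboleth's ComputedId data connector (base64 of SHA-1 over relyingPartyId + "!" + sourceId + "!" + salt), and hmac_id() is a keyed variant of the same idea. The salt, key, user IDs and SP entityIDs are constructed. It shows the privacy property the slide relies on: one user gets a stable identifier at each SP, and two SPs comparing identifiers cannot tell that they serve the same person.

```python
"""Pairwise (targeted) identifiers for federated SSO.

Added example, not UH's IdP configuration. computed_id() mirrors the input
layout of Shibboleth's ComputedId data connector as I understand it;
hmac_id() is a keyed alternative. Salt, key, user IDs and SP entityIDs
below are constructed.
"""
import base64
import hashlib
import hmac


def computed_id(relying_party_id, source_id, salt):
    """Stable per (user, SP) pair; unlinkable across SPs without the salt."""
    h = hashlib.sha1()
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def hmac_id(relying_party_id, source_id, key):
    """Same shape using HMAC-SHA256: the key is the secret, so an SP that
    learns a user's local ID still cannot recompute or brute-force the value."""
    msg = relying_party_id.encode("utf-8") + b"!" + source_id.encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def ids_for_user(source_id, relying_parties, salt):
    """What each SP sees for one user: a distinct value per SP."""
    return {rp: computed_id(rp, source_id, salt) for rp in relying_parties}


def unlinkable(ids_by_rp):
    """True when no two SPs received the same identifier for the user."""
    values = list(ids_by_rp.values())
    return len(set(values)) == len(values)


if __name__ == "__main__":
    ids = ids_for_user("jdoe", ["https://sp1.example.org/shibboleth",
                                "https://sp2.example.org/shibboleth"], b"constructed-salt")
    print(ids, unlinkable(ids))
```

Rotating the salt or key changes every targeted ID at once, which is why it is treated as long-lived key material rather than a configuration value.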
Slide33
LDAP, Lightweight Directory Access Protocol
Deprecated for authentication; use CAS. An app that authenticates by binding to LDAP handles the user's password itself, whereas with CAS the app only ever sees a ticket. Exceptions are scrutinized, and the CAS attribute release policy is continually enhanced to mitigate the need.
Default Attribute Release Policy: identical to CAS. Also subject to the IAM Data Governance Framework.
Slide34
UHIMS Ecosystem Solutions, Authorization Solutions
Grouper
Addresses the fundamental "is member of" requirement and provides rich logic. For example: is this person a member of ITS, sitting on the 6th floor of the ITC building, currently taking credit classes, and therefore eligible for a tuition waiver?
Provides a UI and API.
Internet2 software, very active project. Very popular in the higher ed community. A component of TIER.
Slide35
A UH Grouping:
Is a simple or complex expression of group membership.
Is composed of 3 groups, conceptually: Basis, Include, Exclude.
Has 1 or more Owners.
Has 0 or more Members.
Has properties that an Owner can configure.
Is reusable, can serve multiple purposes: application authorization (who can do what); LISTSERV list publication (email notifications).
Slide36
A UH Grouping example, UH Hilo email discussion list:
Basis group: all UH Hilo faculty, automatically kept current by UHIMS.
Include group (may be empty): others that would like to participate, such as RCUH employees at UH Hilo.
Exclude group (may be empty): those that wish to be left out of the discussions.
Slide37
UH Grouping (diagram): Basis, Include, Exclude
Slide38
UH Grouping (diagram)
Objective: implement a campus mailing list.
Basis: UHH Faculty.
Include: a few RCUH Employees.
Exclude: several dissatisfied individuals.
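The basis/include/exclude model of slides 35 through 38, as an added example (not the UH Groupings code). It assumes that an explicit exclude always wins, that the basis is replaced wholesale from an automatic feed, and that only owners edit include/exclude unless opt-in or opt-out has been enabled on the grouping; the UH Numbers and email addresses are constructed. refresh_basis() returns the membership difference, which is what a consumer needs in order to deprovision when someone leaves the basis, and members_of_all() is the composite "is member of" question from the Grouper slide.

```python
"""A UH Grouping modeled as basis/include/exclude sets.

Added example, not the UH Groupings implementation. Membership is
(basis | include) - exclude, with exclude winning. The basis comes from an
automatic feed; include/exclude are edited by owners, or by members through
opt-in/opt-out when the owner allows it. UH Numbers below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Grouping:
    name: str
    owners: set
    basis: set = field(default_factory=set)    # maintained automatically (UHIMS)
    include: set = field(default_factory=set)  # owner-added or opted in
    exclude: set = field(default_factory=set)  # owner-removed or opted out
    opt_in_allowed: bool = False
    opt_out_allowed: bool = False

    def members(self):
        """Effective membership; an explicit exclude always wins."""
        return (self.basis | self.include) - self.exclude

    def is_member(self, uh_number):
        return uh_number in self.members()

    def refresh_basis(self, feed):
        """Replace the basis from the feed. Returns (added, removed) UH Numbers so a
        consuming app can provision and deprovision on the difference."""
        before = self.members()
        self.basis = set(feed)
        after = self.members()
        return after - before, before - after

    def _require_owner(self, actor):
        if actor not in self.owners:
            raise PermissionError(f"{actor} does not own {self.name}")

    def add_include(self, actor, uh_number):
        self._require_owner(actor)
        self.exclude.discard(uh_number)  # the newer owner decision replaces the older one
        self.include.add(uh_number)

    def add_exclude(self, actor, uh_number):
        self._require_owner(actor)
        self.include.discard(uh_number)
        self.exclude.add(uh_number)

    def opt_in(self, uh_number):
        if not self.opt_in_allowed:
            raise PermissionError(f"{self.name} does not allow opt-in")
        self.exclude.discard(uh_number)
        self.include.add(uh_number)

    def opt_out(self, uh_number):
        if not self.opt_out_allowed:
            raise PermissionError(f"{self.name} does not allow opt-out")
        self.include.discard(uh_number)
        self.exclude.add(uh_number)


def members_of_all(*groupings):
    """Composite 'is member of' question: people in every grouping given."""
    result = None
    for g in groupings:
        result = g.members() if result is None else result & g.members()
    return result or set()


def listserv_subscribers(grouping, email_of):
    """Publish the grouping to a mailing list: sorted subscriber addresses."""
    return sorted(email_of[uh] for uh in grouping.members() if uh in email_of)


def uhh_discussion_list():
    """The slide-36/38 example: UHH faculty (basis), a few RCUH employees (include),
    several who asked to be left out (exclude). Numbers are constructed."""
    g = Grouping("uhh-faculty-discuss", owners={"10000001"}, opt_out_allowed=True)
    g.refresh_basis({"10000001", "10000002", "10000003"})  # UHH faculty, from UHIMS
    g.add_include("10000001", "20000001")                  # RCUH employee at UH Hilo
    g.add_exclude("10000001", "10000003")                  # asked to be left out
    return g


if __name__ == "__main__":
    print(sorted(uhh_discussion_list().members()))
```

Because the same Grouping object answers both the mailing-list question and the application authorization question, a person dropping out of the basis feed disappears from both at the next refresh, with no per-application cleanup.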
Slide39
What can UH Grouping be used for?
Email LISTSERV list management: no need to manually manage the entire list.
Complex role-based permissions management.
Opt-in/out services, when members are suitably allowed.
Any combination of the above (reuse).
Slide40
UH Grouping limitations?
Currently, members must have a UH Number.
Slide41
UHIMS Events:
UH Person Identity Messages published to the UH Message Broker.
A convenient way to receive identity, affiliation, and contact information.
Use for automatically updating on-board application authorization information.
Slide42
UHIMS Ecosystem Solutions, Decoupling Solutions
UH Message Broker:
Uses RabbitMQ, an open-source project.
Simple to set up.
Scalable: behind India's 1.2B-person biometric database.
Separates message producers from message consumers.
Messages are published to exchanges, which route them into queues; consumers read from the queues (exchanges route, they do not store).
Slide43
UH Message Broker implementations:
Banner producer: student enrollment and degree objective information.
HCC AD consumer: UHIMS Events.
KFS consumer: UHIMS Events.
myGrant consumer: UHIMS Events.
MyUH consumer: UHIMS Events.
SECE producer: SECE events.
UHIMS consumer: Banner and SECE events.
UHIMS producer: UHIMS Events.
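Producer/consumer decoupling through an exchange, as an added example (not the UH Message Broker itself): an in-memory topic exchange implementing the "*" (exactly one word) and "#" (zero or more words) binding rules RabbitMQ uses, a producer publishing person events under routing keys, and a consumer that keeps its local authorization table in step with them (the UHIMS Events use case of slide 41). Routing keys, queue names and payloads are constructed. The producer never names its consumers; adding the MyGrant-style consumer is one more bind, not a change to UHIMS.

```python
"""A message broker exchange in miniature.

Added example, not the UH Message Broker. Re-implements AMQP topic-exchange
matching in memory so it runs offline; routing keys, queue names and event
payloads are constructed.
"""
from collections import defaultdict


def topic_matches(pattern, routing_key):
    """AMQP topic matching on dot-separated words: '*' is one word, '#' any number."""
    p, k = pattern.split("."), routing_key.split(".")

    def walk(i, j):
        if i == len(p):
            return j == len(k)
        if p[i] == "#":  # zero or more words: try every possible span
            return any(walk(i + 1, jj) for jj in range(j, len(k) + 1))
        if j == len(k):
            return False
        return (p[i] == "*" or p[i] == k[j]) and walk(i + 1, j + 1)

    return walk(0, 0)


class TopicExchange:
    """Routes each message to every bound queue whose pattern matches, at most
    once per queue. The exchange routes; the queues hold the messages."""

    def __init__(self):
        self.bindings = []               # (pattern, queue name)
        self.queues = defaultdict(list)  # queue name -> pending (key, message)

    def bind(self, queue, pattern):
        self.bindings.append((pattern, queue))
        self.queues.setdefault(queue, [])

    def publish(self, routing_key, message):
        """Deliver to matching queues; returns how many queues received it."""
        targets = {q for pat, q in self.bindings if topic_matches(pat, routing_key)}
        for q in targets:
            self.queues[q].append((routing_key, dict(message)))
        return len(targets)

    def drain(self, queue):
        pending, self.queues[queue] = self.queues[queue], []
        return pending


def apply_person_event(authz, routing_key, event):
    """Consumer side: keep an app's authorization table in step with person events
    instead of re-reading the directory. Unknown keys are ignored, so the producer
    can add event types without breaking this consumer."""
    uh = event["uhNumber"]
    if routing_key.endswith(".affiliation.added"):
        authz.setdefault(uh, set()).add(event["affiliation"])
    elif routing_key.endswith(".affiliation.removed"):
        authz.get(uh, set()).discard(event["affiliation"])
        if not authz.get(uh):
            authz.pop(uh, None)  # no affiliations left: access is gone
    return authz


def demo():
    ex = TopicExchange()
    ex.bind("kfs", "uhims.person.#")                  # everything about persons
    ex.bind("mygrant", "uhims.person.affiliation.*")  # affiliation changes only
    ex.bind("audit", "#")                             # everything
    n1 = ex.publish("uhims.person.affiliation.added",
                    {"uhNumber": "10000001", "affiliation": "faculty"})
    n2 = ex.publish("uhims.person.contact.changed",
                    {"uhNumber": "10000001", "mail": "jdoe@example.edu"})
    authz = {}
    for key, event in ex.drain("kfs"):
        apply_person_event(authz, key, event)
    snapshot = {uh: set(a) for uh, a in authz.items()}  # after onboarding
    n3 = ex.publish("uhims.person.affiliation.removed",
                    {"uhNumber": "10000001", "affiliation": "faculty"})
    for key, event in ex.drain("kfs"):
        apply_person_event(authz, key, event)         # after deprovisioning
    return (n1, n2, n3), snapshot, authz, len(ex.drain("mygrant"))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the trust in these events rests on broker authentication and per-vhost permissions (only UHIMS may publish under uhims.person.*), so a consumer should still validate the message schema before acting on it.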
Slide44
Ecosystem Enhancements Under Way, 12-18 months
Multifactor Authentication: initially for faculty and staff (students later).
UH Message Broker Infrastructure: clustering for high availability.
CAS/Shib Infrastructure: Shib support for the CAS protocol; clustering for high availability.
IAM Data Element Dictionary additions: uhScopedHomeOrg (primary campus, Banner/PS); uhMemberOfGrouping (advanced AuthZ).
UH Groupings: UI improvements.
Slide45
UHIMS Dreams & Blue Sky Visions
Multifactor Authentication:
To protect all of our servers, inside and outside the data center.
As a requirement for all of our Admin apps.
As an opt-in service for the entire UH community.
Slide46
UH Groupings used ubiquitously:
Comprehensive use of custom and automatic groups.
Comprehensive enterprise-wide audit reports revealing who has access to what.
Automated enterprise provisioning/deprovisioning across all (applicable) apps.
Very easy to use for IT staff and users.
Slide47
UH Groupings, more publication destinations:
LDAP groups
Laulima groups
Google groups
The exclusive LISTSERV list management mechanism (as a capability).
Slide48
Hands-on App Developer Workshops:
CAS Authentication, externalized AuthN.
UH Groupings, externalized AuthZ.
UH Message Broker, messaging/decoupling.
UHIMS Events.
Slide49
ACER Integration:
A full-function Acknowledgements and Certifications management solution.
System-wide online General Confidentiality Notice acceptance assertions.
System-wide online criminal background check assertions.
ACER enforcement for app access authorizations.
Slide50
Personal Profile Management:
View access to directory information.
Ability to change select directory information as needed.
Access to Group memberships.
Ability to opt-in/out of Groups as permitted.
Access to attribute release policies.
Ability to opt-in/out of attribute release policies as permitted.
Slide51
For the Pragmatic, the UHIMS Ecosystem
Michael Hodges, ITS Identity and Access Management